<!--
  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<div class="main-content">
    <h2>Getting Started</h2>

    <p>WSO2 API Manager is a complete solution for publishing APIs, creating and managing a developer community, and
        for scalably routing API traffic. It leverages proven, production-ready, integration, security and
        governance components from WSO2 Enterprise Service Bus, WSO2 Identity Server, and WSO2 Governance Registry.
        Moreover, it is powered by API Manager Analytics, thereby making WSO2 API Manager ready for any
        large-scale deployments right away.
    </p>

    <p> The REST API is implemented based on REST best practices and specifications as a CXF REST web application running on WSO2 API Manager.
        API development is started with a swagger specification with a contract-first approach.
        Please see <a href="https://raw.githubusercontent.com/wso2/carbon-apimgt/v6.5.176/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher/src/main/resources/publisher-api.yaml">full swagger definition</a> which is written using swagger 2.0.
        This can be also retrieved from the Web app itself using the URL
        <code>https://&lt;host-name[:port]&gt;/api/am/publisher/v0.16/swagger.json</code>
    </p>

    <p>
        The API comes with a pluggable security mechanism. Since API security is implemented as a CXF
        handler, if you need to plug a custom security mechanism, you can write your own handler and add it to the
        web service.
    </p>

    <p>
        Before invoking the API with the access token, obtain the consumer key/secret key pair by calling the
        dynamic client registration endpoint. You can request an access token with the preferred grant type. An
        example is shown below (In this example, the payload.json is saved in the same directory where the curl command is executed),
    </p>

    <div class="pre"><code class="bash">curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d @payload.json https://localhost:9443/client-registration/v0.17/register</code></div>
    <br/>

    <p>
        Sample request:
    </p>

    <div class="pre"><code class="json">{
        "callbackUrl": "www.google.lk",
        "clientName": "rest_api_publisher",
        "owner": "admin",
        "grantType": "password refresh_token",
        "saasApp": true
        }</code></div>
    <br/>

    <p>
        Sample response:
    </p>

    <div class="pre"><code class="json">{
        "callBackURL": "www.google.lk",
        "jsonString":
        "{
        \"username\":\"admin\",
        \"redirect_uris\":\"www.google.lk\",
        \"client_name\":\"admin_rest_api_publisher\",
        \"grant_types\":\"authorization_code password refresh_token iwa:ntlm
        urn:ietf:params:oauth:grant-type:saml2-bearer client_credentialsimplicit\"
        }",
        "clientName": null,
        "clientId": "HfEl1jJPdg5tbtrxhAwybN05QGoa",
        "clientSecret": "l6c0aoLcWR3fwezHhc7XoGOht5Aa"
        }</code></div>
    <br/>

    <p>
        During the API invocation process request, invoke the CXF handler first, which calls an introspection API to
        validate the token. Generate the access token using the already created OAuth application. A sample call to
        generate the access token is shown below.
    </p>
    <p>
        <b>Note:</b> Access token must be generated using correct scope for the resource.
        Scope for each resource is given in resource documentation.
    </p>
    <p>
        <b>Note:</b> The consumer key and consumer secret keys must be Base64 encoded in the format
        <code>consumer-key:consumer-secret</code>
    </p>

    <div class="pre"><code class="bash">curl -k -d "grant_type=password&username=admin&password=admin&<b>scope=apim:api_view</b>" -H "Authorization: Basic SGZFbDFqSlBkZzV0YnRyeGhBd3liTjA1UUdvYTpsNmMwYW9MY1dSM2Z3ZXpIaGM3WG9HT2h0NUFh" https://localhost:8243/token</code></div>
    <br/>

    <p>
        Token response:
    </p>

    <div class="pre"><code class="json">{
        "scope":"apim:api_view",
        "token_type":"Bearer",
        "expires_in":3600,
        "refresh_token":"33c3be152ebf0030b3fb76f2c1f80bf8",
        "access_token":"292ff0fd256814536baca0926f483c8d"
        }</code></div>
    <br/>

    <p>
        Now you have a valid access token, which you can use to invoke an API. Navigate through the API descriptions
        to find the required API, obtain an access token as described above and invoke the API with the
        authentication header. If you use a different authentication mechanism, this process may change.
    </p>
    <p>
        <b>Note:</b> The implementation of WSO2 API Manager 2.1.0 is similar to DCR.
        Since retrieve client application, edit, and delete is only available in DCRM specifications you cannot perform these actions using REST API.
        However, you can view the created OAuth2 application using the Management Console.
        Please see <a href="https://docs.wso2.com/display/AM210/Running+the+Product#RunningtheProduct-AccessingtheManagementConsole">Accessing the Management Console</a>
        for more details.
    </p>
</div>
